Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets

Yevgeniy Dodis, Bhavana Kanukurthi, Jonathan Katz, Leonid Reyzin, Adam Smith

This is an expanded and corrected version of [5, 23]. It appears in IEEE Transactions on Information Theory (on-line in 2012, DOI 10.1109/TIT).

Yevgeniy Dodis: Dept. of Computer Science, New York University. dodis@cs.nyu.edu. This research was supported by NSF Grants #033806, #03095, and #0552.
Bhavana Kanukurthi: Dept. of Computer Science, University of California, Los Angeles. bhavanak@cs.bu.edu. Work done while at Boston University. This research was supported by NSF grants #03485, #05500, #054664, #08328, #0290, and #.
Jonathan Katz: Dept. of Computer Science, University of Maryland. jkatz@cs.umd.edu. This research was supported by NSF grants #03075, #, and #.
Leonid Reyzin: Dept. of Computer Science, Boston University. reyzin@cs.bu.edu. This research was supported by NSF grants #03485, #05500, #054664, #08328, #0290, and #.
Adam Smith: Computer Science & Engineering Department, Pennsylvania State University. asmith@cse.psu.edu. Work done while at the Weizmann Institute of Science. Supported by the Louis L. and Anita M. Perlman Fellowship.

Abstract

Consider two parties holding samples from correlated distributions W and W', respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_Ext that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W'_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:

- The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.

- Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.

- Previous solutions for the keyed case were stateful. We give the first stateless solution.

1 Introduction

A number of works have explored the problem of secret-key agreement based on correlated information, by which two parties holding samples w, w' of correlated random variables W, W' communicate in order to generate a shared, secret, close-to-uniform key R. The problem has variously
been called information reconciliation (especially when the challenge is to handle differences between the samples held by the parties), privacy amplification (especially in the case when W = W' and the goal is to transform a nonuniform shared secret to a uniform one), or fuzzy extraction. Early work [43, 5, 26, 3] assumed the parties could communicate over a public but authenticated channel or, equivalently, assumed a passive adversary. This assumption was relaxed in later work [29, 30, 42, 27, 33], which considered an active adversary who could modify all messages sent between the two parties.

The goal of the above works was primarily to explore the possibility of information-theoretic security, especially in the context of quantum cryptography; however, this is not the only motivation. The problem also arises in the context of using noisy data (such as biometric information, or observations of some physical phenomenon) for cryptographic purposes, even if computational security suffices. The same problem also arises in the context of the bounded-storage model (BSM) [28] in the presence of errors [4, 7]. We discuss each of these in turn.

1.1 Authentication Using Noisy Data

In the case of authentication/key agreement using noisy data, the random variables W, W' are close (with respect to some metric) but not identical. For simplicity, we assume the noisy data represents biometric information, though the same techniques apply to more general settings. In this context, two different scenarios have been considered:

Secure authentication: Here, a trusted server stores some biometric data w of a user, obtained during an initial enrollment. Later, when the user and the server want to establish a secure communication session over an insecure channel, the user locally obtains a fresh biometric scan w' which is close, but not identical, to w. The user and the server then use w and w' to authenticate each other and agree on a key R.

Key recovery: In this scenario, a user utilizes his biometric data w to generate a random key R along with some public information P, and then stores P on a (possibly untrusted) server. The key R is then used, for example, to encrypt some data for long-term storage. At a later point in time, the user obtains a fresh biometric scan w' along with the value P from the server; together, these values enable the user to recover R (and hence decrypt the encrypted data).

In the second setting the user is, in effect, running a key agreement protocol with himself at two points in time, with the (untrusted) server acting as the communication channel between these two instances of the user. This second scenario inherently requires a noninteractive (i.e., one-message) solution since w is no longer available at the later point in time. Note also that any solution for the second scenario also provides a solution for the first.

Several protocols for key agreement using noisy data over an authenticated channel are known [5, 3, 22, 20, 6]. Most of the existing work for an unauthenticated channel, however, solves the problem only for two special cases [29, 30, 42, 27, 33]: (1) when W = W', or (2) when W and W' consist of (arbitrarily many) independent realizations of the same random variable; i.e., W = (W^(1), W^(2), ...) and W' = (W'^(1), W'^(2), ...). In the case of biometric data, however, W, W' are not likely to be equal and we cannot in general obtain an unbounded number of samples. Recently, there has been progress on the general case. Renner and Wolf [34] were the first to demonstrate that an interactive solution is possible. Their protocol was not efficient, but an efficient version was later given [24]. Boyen [8] showed (in the random oracle model) how to achieve unidirectional authentication, as well as a weak form of security for the second scenario (roughly,
R remains secret but the user can be fooled into using an incorrect key R'). Boyen et al. [9] showed two solutions to the problem. Their first solution is noninteractive and thus applies to both scenarios above, but relies on random oracles. Their second solution is interactive, and relies on password-based key exchange as a primitive. This means that it provides computational rather than information-theoretic security; furthermore, given the current state-of-the-art for password-based key exchange, their solution is impractical without additional assumptions such as random oracles or the existence of public parameters.

1.2 The Bounded-Storage Model and the Keyed Case

Key agreement using correlated information arises also in the context of the bounded-storage model (BSM) [28] in the presence of errors [4, 7]. In the BSM, two parties share a long-term secret key SK_BSM. In each time period j, a long random string Z_j is broadcast to the parties (and the adversary); the assumption is that the length of Z_j is more than what the adversary can store. The parties use SK_BSM and Z_j to generate a secret session key R_j in each period. This process should achieve everlasting security [], meaning that even if SK_BSM is revealed to the adversary in some time period n, all session keys {R_j}_{j<n} remain independently and uniformly distributed from the perspective of the adversary.

A paradigm (formalized by [39]) for achieving the above is for SK_BSM to contain a seed SK_Sam for a sampler (footnote 1) and another seed SK_Ext for a randomness extractor. The parties use SK_Sam to sample some portion of Z_j in each period; in the absence of errors, this results in each party holding the same value w_j. Since the adversary may have some partial information about w_j, however, this shared value is not uniformly distributed from the point of view of the adversary, and the parties must therefore use a randomness extractor with the seed SK_Ext to generate a uniform key R_j for the current period.

Footnote 1: A sampler [2] is a function that maps SK_Sam to a set of bit positions. In fact, SK_Sam may simply encode a set of randomly chosen bit positions, but better samplers using shorter seeds are available.

In the presence of transmission errors in Z_j the problem is even more difficult, as the parties then hold correlated (but possibly unequal) strings w_j, w'_j after the initial sampling. The parallels to biometric authentication should be clear. Nevertheless, the problems are incomparable: in the case of the BSM with errors there is a stronger setup assumption (namely, that the parties share a long-term key SK_BSM) but the security requirements are more stringent since SK_BSM needs to be reusable and everlasting security is required.

1.3 Our Contributions

We focus on the abstract problem of secret-key agreement between two parties holding instances w, w' of correlated random variables W, W' that are guaranteed to be close but not necessarily identical. Specifically, we assume that w and w' are within distance t in some underlying metric space. Our definitions as well as some of our results hold for arbitrary metric spaces, while other results assume specific metrics.

We restrict our attention to noninteractive protocols defined by procedures (Gen, Rep) that operate as follows. The first party, holding w, computes (R, P) ← Gen(w) and sends P to the second party; this second party computes R' ← Rep(w', P). (If the parties share a long-term key SK_Ext then Gen, Rep take this key as additional input.) The basic requirements, informally, are

- Correctness: R = R' whenever w' is within distance t of w.

- Security: If the min-entropy of W is high, then R is uniformly distributed even given P.

So far, this gives exactly a fuzzy extractor as defined by Dodis et al. [6] (although we additionally allow the possibility of a long-term key). Since we are interested in the case when the parties communicate over an unauthenticated channel, however, we actually want to construct robust fuzzy extractors [9] that additionally protect against malicious modification of P. Robustness requires that if the adversary sends any modified value P' ≠ P, then with high probability the second player will reject (i.e., Rep(w', P') = ⊥). We distinguish between the notion of pre-application robustness and the stronger notion of post-application robustness, where in the latter case the adversary is given R before it generates P'. Post-application robustness is needed in settings where the first party may begin using R before the second party computes R', and is also needed for the key recovery scenario discussed earlier (since previous usage of R may leak information about it).

We now summarize our results:

The case of no errors. Although our focus is on the case when W, W' are unequal, we obtain improvements also in the case when they are equal (i.e., t = 0) but nonuniform. Let m denote the min-entropy of W and let n ≥ m denote its bit-length. The best previous noninteractive solution in this setting is due to Maurer and Wolf [27] who show that when m > 2n/3 it is possible to achieve pre-application robustness and generate a shared key R of length m − 2n/3. On the other hand, results of [8, 9] imply that a non-interactive solution is impossible when m ≤ n/2. (As shown in [27, Section III-C], interactive solutions can do better; in fact, it is possible for the length of R to be nearly m [33, 9, ].) We bridge the gap between known upper- and lower-bounds and show that whenever m > n/2 it is possible to achieve pre-application robustness and generate a shared key R of length 2m − n. This improves both the required min-entropy of W and the length of the resulting key. Moreover, we give the first solution satisfying post-application robustness. That solution also works as long as m > n/2, but extracts a key half as long (that is, of length m − n/2).

Handling errors. The only previously known construction of robust fuzzy extractors [9] relies on the random oracle model. We (partially) resolve the main open question of [9] by showing a construction of robust fuzzy extractors in the standard model for the specific cases of the Hamming and set-difference metrics (footnote 2). (The solution in [9] is generic and applies to any metric admitting a good error-correcting code.) Our construction achieves post-application robustness. The techniques of this paper were subsequently generalized in [2].

Footnote 2: A previous version of this work [5] contained an erroneous claim of a construction for edit distance, which proceeded by embedding edit distance into set difference using shingling (see [6]). That construction does not work, however, because the embedding fails to preserve the requirement that m > n/2.

Using a shared long-term key. There are scenarios in which the two parties trying to derive R from w and w' already share a long-term secret key. Motivated by such settings, we define and construct a keyed robust fuzzy extractor for general metrics. In the process, we introduce a new primitive called an extractor-MAC: a one-time information-theoretic message authentication code whose output is independent of the key if the message has sufficient entropy.

Application to the BSM with errors. Prior work focusing on the BSM with errors [4, 7] showed a noninteractive (i.e., single-message) solution to the problem discussed in Section 1.2 when the samples w_j, w'_j of the parties have constant relative Hamming distance. The solution of [4] is stateful: the long-term key SK_BSM is updated by both parties after each time period using information derived from Z_j. If a party misses a time period and is no longer synchronized with
the other party, it is not clear how to recover. The solution of [7] is stateless; the parties keep the same long-term key SK_BSM and can communicate even if one of them misses some Z_j. However, this solution assumes the parties can communicate over an authenticated channel. Building on keyed robust fuzzy extractors, we show a stateless solution for the BSM with errors (under the Hamming metric) using an unauthenticated channel.

2 Definitions and Preliminaries

For strings a and b, we use a‖b to denote their concatenation and let |a| denote the length of a. If S is a set, x ← S means that x is chosen uniformly from S. If X is a probability distribution, then x ← X means that x is chosen according to X. The notation Pr_X[x] denotes the probability assigned by X to the value x. (We often omit the subscript when the probability distribution is clear from context.) If A is a probabilistic algorithm and x is an input, A(x; ω) denotes the output of A running with random coins ω, and A(x) is the random variable A(x; ω) for uniformly sampled ω. If X is a distribution, then A(X) is the random variable obtained by sampling x ← X and then running A(x). We let U_l denote the uniform distribution over {0,1}^l. All logarithms are base 2.

Let X_1, X_2 be two probability distributions over some set S. Their statistical distance is
$$\mathrm{SD}(X_1, X_2) \stackrel{\text{def}}{=} \tfrac{1}{2} \sum_{s \in S} \big|\Pr_{X_1}[s] - \Pr_{X_2}[s]\big|.$$
If two distributions have statistical distance at most ε, we say they are ε-close and write $X_1 \approx_\varepsilon X_2$. Note that ε-close distributions cannot be distinguished with advantage better than ε by an adversary who gets a single sample, even if the adversary is computationally unbounded.

The min-entropy of a random variable X is defined as $H_\infty(X) = -\log(\max_x \Pr_X[x])$. Following [6], we define the (average) conditional min-entropy of X given Y as
$$\tilde H_\infty(X \mid Y) = -\log\Big(\mathbb{E}_{y \leftarrow Y}\big[2^{-H_\infty(X \mid Y = y)}\big]\Big)$$
(where the expectation is over y for which Pr[Y = y] is nonzero). This definition is suited for cryptographic purposes because the probability that an adversary can predict X when given the value of Y is $2^{-\tilde H_\infty(X \mid Y)}$.

Lemma 1 ([6, Lemma 2.2]) Let Y have at most 2^λ elements in its support. Then $\tilde H_\infty(X \mid Y) \ge H_\infty(X, Y) - \lambda$. (More generally, $\tilde H_\infty(X \mid Y, Z) \ge \tilde H_\infty(X, Y \mid Z) - \lambda$.)

2.1 Hash Functions and Extractors

We recall the notion of almost-universal hashing [0, 36].

Definition 1 A family of efficient functions $\mathcal{H} = \{h_i : \{0,1\}^n \to \{0,1\}^l\}_{i \in I}$ is δ-almost universal if for all x ≠ x' we have $\Pr_{i \leftarrow I}[h_i(x) = h_i(x')] \le \delta$. Families with δ = 2^{-l} are called universal.

A simple universal family [36, Theorem 5.2] can be constructed by identifying I and {0,1}^n with GF(2^n) in the natural way, and defining h_i(x) as the high-order l bits of i·x.

Extractors [3] yield a (close to) uniform string from a random variable with high min-entropy, using a uniform seed i. Strong extractors guarantee that the extracted string is uniform even conditioned on the seed. We consider only strong extractors in this paper, and thus often omit the qualifier strong.
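The quantities defined in this section can be computed exactly for small finite distributions, which makes Lemma 1 easy to sanity-check. The following Python is an added example, not code from the paper: it implements SD, $H_\infty$ and the average conditional min-entropy $\tilde H_\infty(X \mid Y)$ exactly as defined above over two constructed joint distributions of (X, Y) (one where Y leaks one bit of X, one where Y is independent of X), and evaluates the bound of Lemma 1 on both. Representing a distribution as a Python dict from value to probability is a convention of this example only.

```python
import math

# Constructed example inputs. A joint distribution of (X, Y) is a dict {(x, y): probability}.
# JOINT_XY: X uniform over {0,1,2,3} and Y = X mod 2, so Y reveals exactly one bit of X.
JOINT_XY = {(x, x % 2): 0.25 for x in range(4)}
# JOINT_INDEP: X uniform over {0,1,2,3}, Y a uniform bit independent of X.
JOINT_INDEP = {(x, y): 0.125 for x in range(4) for y in range(2)}


def statistical_distance(p, q):
    """SD(P, Q) = (1/2) * sum over s of |P(s) - Q(s)|, for distributions given as {value: prob}."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(s, 0.0) - q.get(s, 0.0)) for s in support)


def min_entropy(p):
    """H_inf(P) = -log2(max_s P(s)): minus the log of the best single-guess probability."""
    return -math.log2(max(p.values()))


def avg_cond_min_entropy(joint):
    """H~_inf(X|Y) = -log2( E_{y<-Y}[ 2^{-H_inf(X|Y=y)} ] ).

    2^{-H_inf(X|Y=y)} = max_x Pr[X=x | Y=y], and E_y of that is sum_y Pr[Y=y] * max_x Pr[X=x|Y=y]
    = sum_y max_x Pr[X=x, Y=y], so the joint probabilities suffice (y with Pr[Y=y] = 0 never occur)."""
    best_per_y = {}
    for (x, y), pr in joint.items():
        best_per_y[y] = max(best_per_y.get(y, 0.0), pr)
    return -math.log2(sum(best_per_y.values()))


def guessing_probability(joint):
    """Probability that an adversary who sees Y predicts X correctly: 2^{-H~_inf(X|Y)}."""
    return 2.0 ** (-avg_cond_min_entropy(joint))


def lemma1_lower_bound(joint):
    """Right-hand side of Lemma 1: H_inf(X, Y) - lambda, where Y has at most 2^lambda values."""
    joint_min_entropy = min_entropy(joint)                 # (X, Y) viewed as one random variable
    lam = math.log2(len({y for (_, y) in joint}))          # lambda = log2 |support(Y)|
    return joint_min_entropy - lam


def lemma1_holds(joint):
    """Check H~_inf(X|Y) >= H_inf(X, Y) - lambda (with a small tolerance for float rounding)."""
    return avg_cond_min_entropy(joint) >= lemma1_lower_bound(joint) - 1e-12


if __name__ == "__main__":
    uniform_bit = {0: 0.5, 1: 0.5}
    skewed_bit = {0: 0.75, 1: 0.25}
    print("SD(uniform bit, skewed bit) =", statistical_distance(uniform_bit, skewed_bit))
    print("H_inf(uniform over 4 values) =", min_entropy({x: 0.25 for x in range(4)}))
    for name, joint in (("Y = X mod 2", JOINT_XY), ("Y independent", JOINT_INDEP)):
        print(name, "H~_inf(X|Y) =", avg_cond_min_entropy(joint),
              "guess prob =", guessing_probability(joint),
              "Lemma 1 bound =", lemma1_lower_bound(joint), "holds:", lemma1_holds(joint))
```

On JOINT_XY the bound of Lemma 1 is tight (one bit of Y costs exactly one bit of min-entropy), while on JOINT_INDEP the average conditional min-entropy equals $H_\infty(X)$ even though the lemma only promises one bit less; this is the sense in which the lemma is a worst-case bound over how Y may depend on X.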

Definition 2 Let I be a set and U_I the uniform distribution over that set. A function Ext: {0,1}^n × I → {0,1}^l is a strong (m, ε)-extractor if for all distributions X over {0,1}^n with $H_\infty(X) \ge m$ we have $\mathrm{SD}\big((\mathrm{Ext}(X; U_I), U_I), (U_l, U_I)\big) \le \varepsilon$. We refer to the second argument to Ext as the seed.

We need to strengthen the above definition to account for external information E an adversary knows that may be correlated with X. To do so, we generalize the min-entropy constraint on X to average min-entropy, and require the extracted string to be uniform even given E. Namely, we require that for any X, E such that $\tilde H_\infty(X \mid E) \ge m$ we have $\mathrm{SD}\big((\mathrm{Ext}(X; U_I), U_I, E), (U_l, U_I, E)\big) \le \varepsilon$. Such extractors are called average-case extractors. Note that any $(m - \log(1/\varepsilon'), \varepsilon)$-extractor is an $(m, \varepsilon + \varepsilon')$-average-case extractor, because $\Pr_{e \leftarrow E}[H_\infty(X \mid e) \ge m - \log(1/\varepsilon')] \ge 1 - \varepsilon'$ by Markov's inequality; Vadhan [40] proves the stronger statement that any (m, ε)-extractor for m ≤ n − 1 is also an (m, 3ε)-average-case extractor. However, the additional loss is not always necessary. Indeed, the Leftover Hash Lemma generalizes without any loss to the average-case setting. (Multiple versions of this lemma have appeared; we use the formulation of [37, Theorem 8.], augmented by [6, Lemma 2.4] for the average case; see [2] and references therein for earlier formulations.)

Lemma 2 (Leftover Hash Lemma) Fix l, m, ε > 0. If $\mathcal{H} = \{h_i : \{0,1\}^n \to \{0,1\}^l\}_{i \in I}$ is a $\big(2^{-l}(1 + 4\varepsilon^2) - 2^{-m}\big)$-almost universal family, then H is a strong (m, ε)-average-case extractor (where the index of the hash function is the seed to the extractor). In particular, if H is universal and $l \le m - 2\log(1/\varepsilon)$, then H is a strong (m, ε)-average-case extractor. The above holds even when H depends on E, i.e., when $\mathcal{H} = \{\mathcal{H}_e\}_{e \in E}$ is a collection of almost-universal families, one for each value of the external information E.

2.2 One-Time Message Authentication Codes

An (information-theoretic) one-time message authentication code (MAC) consists of polynomial-time algorithms (Mac, Vrfy). The first algorithm takes a key SK and a message M ∈ {0,1}^n and outputs a tag t; we write this as t = Mac_SK(M). The verification algorithm Vrfy takes as input a key SK, a message M ∈ {0,1}^n, and a tag t, and outputs either 1 or 0, with the former being interpreted as acceptance and the latter as rejection. Correctness requires that for all SK and all M ∈ {0,1}^n, we have Vrfy_SK(M, Mac_SK(M)) = 1. Security requires that when SK is chosen uniformly, an unbounded adversary cannot output a valid tag on a new message even after being given the tag on any message of its choice. Formally:

Definition 3 Message authentication code (Mac, Vrfy) is a δ-secure one-time MAC if for any adversary A and any message M, the probability that the following experiment outputs success is at most δ: Choose uniform key SK; let t = Mac_SK(M); let (M', t') ← A(t); output success if M' ≠ M and Vrfy_SK(M', t') = 1.

We next recall the notion of (almost) strongly universal hashing [4, 36].

Definition 4 A family of efficient functions $\mathcal{H} = \{h_i : \{0,1\}^n \to \{0,1\}^l\}_{i \in I}$ is δ-almost strongly universal if for all x ≠ x', y, y' it holds that: (a) $\Pr_{i \leftarrow I}[h_i(x) = y] = 2^{-l}$ and (b) $\Pr_{i \leftarrow I}[h_i(x) = y \wedge h_i(x') = y'] \le \delta \cdot 2^{-l}$. Families with δ = 2^{-l} are called strongly universal or pairwise independent.

A strongly universal family [36, Theorem 5.2] is obtained by identifying {0,1}^n with GF(2^n), letting I = GF(2^n) × {0,1}^l, and defining h_{a,b}(x) as the high-order l bits of (a·x) + b.

An almost strongly universal hash family can be used for information-theoretic authentication of a message M using a secret key i, by letting the tag be t = h_i(M). The property of being δ-almost strongly universal implies that this is a δ-secure one-time MAC.

2.3 Secure Sketches and Fuzzy Extractors

We review the definitions of secure sketches and fuzzy extractors from [6]. Let M be a metric space with distance function dis. Informally, a secure sketch enables recovery of a string w ∈ M from any close string w' ∈ M, without leaking too much information about w.

Definition 5 An (m, m̃, t)-secure sketch for M is a pair of efficient randomized algorithms (SS, SRec) such that:

1. The sketching procedure SS takes an input w ∈ M and outputs a string s ∈ {0,1}*. The recovery procedure SRec takes as inputs an element w' ∈ M and a string s ∈ {0,1}*, and returns an element of M.

2. Correctness: If dis(w, w') ≤ t then SRec(w', SS(w)) = w.

3. Security: For any distribution W over M with $H_\infty(W) \ge m$, we have $\tilde H_\infty(W \mid SS(W)) \ge \tilde m$.

The quantity m − m̃ is called the entropy loss of the secure sketch.

For the case of the Hamming metric on M = {0,1}^n, we will make use of the syndrome construction from [6] (this construction also appeared as a component of earlier work, e.g., [4]). Here the sketch s = SS(w) consists of the k-bit syndrome (footnote 3) of w with respect to some (efficiently decodable) [n, n − k, 2t + 1]-error-correcting code. We do not need any details of this construction other than the facts that s is a (deterministic) linear function of w and that the entropy loss is at most |s| = k. We also note that this construction can be extended to the set-difference metric [6].

Footnote 3: If H is the parity-check matrix for a linear code C (i.e., c ∈ C iff cH^T = 0), then the syndrome of a vector w is wH^T.

As opposed to a secure sketch, whose goal is to recover the original input, a fuzzy extractor enables generation of a close-to-uniform string R from w, and subsequent reproduction of R from any w' close to w.

Definition 6 An (m, l, t, ε)-fuzzy extractor for M is a pair of efficient randomized algorithms (Gen, Rep) such that:

1. The generation procedure Gen takes input w ∈ M and outputs an extracted string R ∈ {0,1}^l and a helper string P ∈ {0,1}*. The reproduction procedure Rep takes as inputs an element w' ∈ M and a string P ∈ {0,1}*, and returns a string in {0,1}^l.

2. Correctness: If dis(w, w') ≤ t and (R, P) is output by Gen(w), then Rep(w', P) = R.

3. Security: For any distribution W over M with min-entropy m, the string R is close to uniform conditioned on P. I.e., if $H_\infty(W) \ge m$ and (R, P) ← Gen(W), then $\mathrm{SD}((R, P), (U_l, P)) \le \varepsilon$.

Composing an (m, m̃, t)-secure sketch with an average-case (m̃, ε)-extractor Ext: M × I → {0,1}^l yields an (m, l, t, ε)-fuzzy extractor with P = (SS(w), i) and R = Ext(w; i) (see [6, Lemma 4.]). Just as with ordinary extractors, a more general definition of fuzzy extractors accounts for external information E and requires that for any W, E with $\tilde H_\infty(W \mid E) \ge m$ it holds that $\mathrm{SD}((R, P, E), (U_l, P, E)) \le \varepsilon$. A fuzzy extractor satisfying this definition is called an average-case fuzzy extractor, and all known constructions satisfy this more general definition.

In this work we will also use keyed fuzzy extractors where both Gen and Rep use the same key SK_Ext, which is uniform and independent of the input distribution W. Here we require the additional security property that SK_Ext, R are independently uniform conditioned on P. This stronger requirement stems from the fact that SK_Ext needs to be reusable; thus, it should remain uniform and independent of P, R in order to be useful next time. This requirement implies (by a hybrid argument) that keyed fuzzy extractors can be used multiple times (with the same key SK_Ext) to extract independent keys {R_j} from independent {W_j}. It also implies that any extracted key R_j remains uniform even to an adversary who learns SK_Ext and P_j (but not w_j).

Definition 7 An (m, l, t, ε)-keyed fuzzy extractor for M is a pair of efficient randomized algorithms (Gen, Rep) such that:

1. Algorithm Gen, on input a key SK_Ext and w ∈ M, outputs R ∈ {0,1}^l and P ∈ {0,1}*; we denote this by (R, P) ← Gen_{SK_Ext}(w). Algorithm Rep takes as input a key SK_Ext, an element w' ∈ M, and a string P ∈ {0,1}*, and returns a string in {0,1}^l; we denote this by R' ← Rep_{SK_Ext}(w', P).

2. Correctness: For any key SK_Ext, if dis(w, w') ≤ t and (R, P) is output by Gen_{SK_Ext}(w), then it holds that Rep_{SK_Ext}(w', P) = R.

3. Security: If SK_Ext is uniform, the distribution W over M is such that $H_\infty(W) \ge m$, and (R, P) ← Gen_{SK_Ext}(W), then $\mathrm{SD}\big((SK_{Ext}, R, P), (U_{SK_{Ext}}, U_l, P)\big) \le \varepsilon$.
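As an added example (not the paper's own code), here is the syndrome secure sketch of Section 2.3 and the sketch-plus-extractor composition just described, instantiated in Python for the Hamming metric on {0,1}^7. The sketch is the 3-bit syndrome of the [7, 4, 3] Hamming code (t = 1, entropy loss at most k = 3 bits), and the extractor is the universal family of seed-selected GF(2)-linear maps, to which Lemma 2 applies; this is a different universal family from the GF(2^n) one of Section 2.1. The parity-check matrix, the parameters n = 7 and l = 2, and the sample inputs are all constructed for this example, and Rep here is the plain (non-robust) fuzzy extractor of Definition 6, which trusts P.

```python
import secrets

N_BITS = 7   # M = {0,1}^7 under the Hamming metric (constructed toy size)
L_BITS = 2   # length of the extracted key R


def syndrome(w):
    """Syndrome wH^T of a 7-bit word under the [7,4,3] Hamming code.

    The (constructed) parity-check matrix H has, as column j, the 3-bit binary
    representation of j (j = 1..7).  wH^T is then the XOR of the positions j whose
    bit is set in w, which makes the syndrome a linear function of w over GF(2)."""
    s = 0
    for j in range(1, N_BITS + 1):
        if (w >> (j - 1)) & 1:
            s ^= j
    return s


def ss(w):
    """SS(w): the k = 3 bit syndrome is the whole sketch, so the entropy loss is at most 3 bits."""
    return syndrome(w)


def srec(w_prime, s):
    """SRec(w', s): by linearity, syndrome(w') XOR s = syndrome(w' XOR w).  When w' differs
    from w in a single bit, that value is exactly the flipped position, so flip it back.
    Correct whenever dis(w, w') <= t = 1; two or more errors decode silently to a wrong word."""
    err_pos = syndrome(w_prime) ^ s
    if err_pos == 0:
        return w_prime
    return w_prime ^ (1 << (err_pos - 1))


def preimage_count(s):
    """Number of w in {0,1}^7 with syndrome s.  It is 2^(n-k) = 16 for every s, so for a uniform W
    the conditional min-entropy H~_inf(W | SS(W)) is log2(16) = 4 = n - k: the loss bound is tight."""
    return sum(1 for w in range(1 << N_BITS) if syndrome(w) == s)


def parity(x):
    return bin(x).count("1") & 1


def ext(w, rows):
    """Strong extractor: a random GF(2)-linear map chosen by the seed (one 7-bit row per output
    bit).  This family is universal, so the Leftover Hash Lemma (Lemma 2) applies to it."""
    out = 0
    for row in rows:
        out = (out << 1) | parity(w & row)   # output bit = <row, w> mod 2
    return out


def gen(w, rows=None):
    """Gen(w) = (R, P) with P = (SS(w), seed) and R = Ext(w; seed), the composition above."""
    if rows is None:
        rows = [secrets.randbits(N_BITS) for _ in range(L_BITS)]
    return ext(w, rows), (ss(w), rows)


def rep(w_prime, P):
    """Rep(w', P): recover w from the sketch, then re-run the extractor with the same seed."""
    s, rows = P
    return ext(srec(w_prime, s), rows)


if __name__ == "__main__":
    w = 0b1011001                      # constructed enrollment sample
    R, P = gen(w)
    w_prime = w ^ (1 << 4)             # fresh sample with one bit flipped
    print("syndrome(w) =", P[0], " R =", R, " Rep(w', P) =", rep(w_prime, P))
    print("preimages per syndrome:", [preimage_count(s) for s in range(8)])
```

The `preimage_count` check is what the "entropy loss at most |s| = k" statement means concretely: conditioning on the 3-bit syndrome partitions the 128 inputs into 8 cosets of 16, so a uniform W keeps 4 bits of min-entropy, and Lemma 1 gives the same figure.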
For some applications we need to impose the additional condition that, informally, P not reveal any information about the distribution W. Formally, the distribution of P should be the same regardless of the distribution W, as long as W has sufficient min-entropy. It is easiest, though slightly more restrictive than necessary, to simply require P to be uniform (for any W with sufficient min-entropy). That is, we say that (Gen, Rep) has uniform helper strings if the security condition is strengthened to require $\mathrm{SD}\big((SK_{Ext}, R, P), (U_{SK_{Ext}}, U_l, U_P)\big) \le \varepsilon$. This additional security condition was subsequently explored in the setting of interactive key agreement [7].

This additional requirement may seem strange: after all, security of a fuzzy extractor depends not on secrecy of the distribution W, but only on the fact that W has high min-entropy, which ensures that the specific sample w is secret. However, there are applications that need the distribution W to be kept secret, and the public output of the fuzzy extractor can harm them if this requirement is not satisfied. The specific application considered in this paper is to the bounded-storage model (introduced in Section 1.2 and addressed in detail in Section 4.3). In this application, the input distribution to the fuzzy extractor depends on the sampling seed SK_Sam, which needs to remain secret so that it can be reused.

2.4 Robust Fuzzy Extractors

Fuzzy extractors protect against a passive attack in which an adversary observes P and tries to learn something about the extracted key R. However, the definition says nothing about what happens if an adversary can modify P as it is sent to the user holding w'. That is, there are no guarantees about the output of Rep(w', P̃) for P̃ ≠ P. Boyen et al. [9] propose the notion of robust fuzzy extractors, which provide strong guarantees against such an attack. Specifically, Rep can now output either a key or a special value ⊥ (denoting "fail"). The definition requires that with high probability any value P̃ ≠ P produced by the adversary (after being given P) causes Rep(w', P̃) to output ⊥. Modified versions of the public information P will therefore be detected.

We consider two variants of this idea, depending on whether Gen and Rep additionally share a long-term key SK_Ext. (Boyen et al. considered only the keyless version.) Furthermore, we distinguish between two adversarial attacks, and thus two notions of robustness, depending on whether the adversary has access to R when modifying P. Indeed, if R is used (e.g., for encryption) and the adversary can observe some effect of this use (e.g., the ciphertext) before modifying P, then the notion of robustness from Boyen et al. (in which the adversary is given no information about R) is insufficient. Our stronger notion accounts for this by giving the adversary access to R in addition to P. This is a conservative choice that results in a broadly applicable definition: security holds regardless of how R is used and whether it remains hidden partially, computationally, or not at all. We call this stronger notion post-application robustness, and refer to the original notion (where R is not given to the adversary) as pre-application robustness. Pre-application robustness suffices if the adversary's ability to modify P ends prior to any observable use of R.

If W, W' are two (correlated) random variables over a metric space M, we say dis(W, W') ≤ t if the distance between W and W' is at most t with probability one. We call (W, W') a (t, m)-pair if dis(W, W') ≤ t and $H_\infty(W) \ge m$.

Definition 8 An (m, l, t, ε)-fuzzy extractor has post-application (resp., pre-application) robustness δ if for all (t, m)-pairs (W, W') and all adversaries A, the probability that the following experiment outputs success is at most δ: Sample (w, w') from (W, W'); let (R, P) ← Gen(w); let P̃ ← A(R, P) (resp., P̃ ← A(P)); output success if P̃ ≠ P and Rep(w', P̃) ≠ ⊥.

The definition is illustrated in Figure 1. Note that the definition is interesting even when w = w' (i.e., when t = 0), because ordinary extractors are not usually robust. We construct (keyless) robust fuzzy extractors in Section 3, and keyed robust fuzzy extractors in Section 4.

The definition of robust extractors composes with itself in some situations. For example, a generalization of the above (used in [9]) allows the adversary to output (P̃_1, ..., P̃_j); the adversary succeeds if there exists an i with Rep(w', P̃_i) ≠ ⊥. A simple union bound shows that the success probability of an adversary in this case increases at most linearly in j. Similarly, suppose two players (Alice and Bob) receive a sequence of pairs of random variables (W_1, W'_1), (W_2, W'_2), ..., (W_j, W'_j) (with Alice receiving the {W_i} and Bob receiving the {W'_i}), such that dis(W_i, W'_i) ≤ t for all i, and the entropy of W_i conditioned on the information {(W_k, W'_k)}_{k<i} from prior time periods is at least m. Alice and Bob can agree on random and independent keys R_1, ..., R_j by having Alice apply Gen from a robust average-case fuzzy extractor to each W_i and then send P_i to Bob. The attacker's advantage in distinguishing the vector of unknown keys from random is at most jε (this follows by a hybrid argument that replaces extracted keys by random strings one at a time, starting with the most recent one). The attacker's probability of forging a
10 w SK Ext (a) w! P P ~ Gen A Rep R (b) R or! Figure : Robust extractors (cf. Definition 8). Dashed lines indicate variations in the definition: (a) Keyed extractors take an additional input SK Ext shared by Gen and Rep. (b) For pre-application robustness, the adversary does not have access to the extracted key R. valid P i is at most δ in any given period i (this can be shown by simply giving the attacker (W, W ),..., (W i, W i )); thus, the overall probability of forgery over all time periods is at most jδ. For keyed fuzzy extractors, robustness is defined exactly as in Definition 8 with the only difference being that Gen and Rep both use the same (uniform) key SK Ext (which is not given to the adversary); see Figure. At first glance, the addition of a long-term key may seem to trivialize the problem of constructing robust fuzzy extractors. For example, one might attempt to use SK Ext as a key for a message authentication code and, given output (R, P ) from a fuzzy extractor, simply append to P the tag Mac SKExt (P ). While this may work in the computational setting, it will not suffice in the information-theoretic setting if we want to support an unbounded number of time periods (or if we want to use a key SK Ext whose length does not grow linearly in the number of time periods supported). Furthermore, such a construction will not satisfy the security property of Definition 7 because SK Ext will not be uniform conditioned on P and Mac SKExt (P ). 3 Constructing (Keyless) Robust Fuzzy Extractors We begin by analyzing the case of no errors (i.e., t = 0), and then consider the more general case. 3. The Errorless Case (w = w ) Consider the case where M = {0, } n and Alice and Bob hold the same sample w {0, } n of a random variable W. In the presence of a passive adversary, Alice and Bob can agree on a uniform key using a strong extractor Ext. 
Phrased using the terminology of fuzzy extractors (with $t = 0$ here), Alice runs $\mathrm{Gen}(w)$, which simply samples a seed $P$ for Ext, and sends $P$ to Bob; both Alice and Bob then output the key $R = \mathrm{Rep}(w, P) = \mathrm{Ext}(w; P)$. This solution does not work if the adversary is active, which is why robust fuzzy extractors are interesting even in the errorless case. In particular, if an adversary forwards $P' \ne P$ to Bob, then there is no longer any guarantee on Bob's output $\mathrm{Ext}(w; P')$; in fact, it is easy to show a construction of a strong extractor Ext with the property that a maliciously generated $P'$ completely determines Bob's key $R' = \mathrm{Ext}(w; P')$. One idea to address this is for Alice to authenticate $P$ using the key $R$ she extracts, and then send the authentication tag along with $P$ to Bob. In general this does not work either: if the adversary forwards $P' \ne P$ to Bob, then it may be easy for the adversary to generate a forged tag with respect to the key $R'$ that Bob derives. Instead, we use $w$ itself to authenticate $P$ and show that this approach works for a particular choice of strong extractor and message authentication code.

[Figure 2: Construction for the errorless case. Labels in the figure: $a$ ($n - v$ bits), $b$ ($v$ bits), $i$, $\times$, $[ia]$ split into $R$ ($n - 2v$ bits) and $v$ bits, $+$, $\sigma$.]

We define algorithms Gen, Rep as follows. To compute $\mathrm{Gen}(w)$, parse $w$ as two strings $a$ and $b$ of lengths $n - v$ and $v$, respectively, where $v < n/2$ is a parameter of the construction. View $a$ as an element of $GF(2^{n-v})$ and $b$ as an element of $GF(2^v)$ (the representation of field elements does not matter, as long as addition in the field corresponds to exclusive-or of bit strings). Choose random $i \in GF(2^{n-v})$, let $[ia]_{v+1}^{n-v}$ denote the most significant $n - 2v$ bits of $ia \in GF(2^{n-v})$, and let $[ia]_v$ denote the remaining $v$ bits of $ia$. View $[ia]_v$ as an element of $GF(2^v)$. Then compute $\sigma = [ia]_v + b$, set $P = (i, \sigma)$, and let the extracted key be $R = [ia]_{v+1}^{n-v}$. See Figure 2.

$\mathrm{Rep}(w, P')$, where $P' = (i', \sigma')$, proceeds as follows. Parse $w$ as two strings $a$ and $b$ as above. Then verify that $\sigma' = [i'a]_v + b$ and output $\bot$ if this is not the case. Otherwise, compute the extracted key $R' = [i'a]_{v+1}^{n-v}$.

The following theorem states the parameters for which (Gen, Rep) is a robust fuzzy extractor. (Since $t = 0$ here, the metric over $\{0,1\}^n$ is irrelevant.) Observe that extraction is possible as long as $H_\infty(W) \stackrel{\text{def}}{=} m > n/2$, and in the case of pre-application robustness (which is the notion considered in [27]) we extract a key of length roughly $2m - n$. This improves on the result of Maurer and Wolf [27], who require $m > 2n/3$ and extract a key of length roughly $m - 2n/3$.

Theorem 3 Fix $v$, and let $l = n - 2v$ be the length of the extracted key. Then:
For any $\varepsilon, \delta$ satisfying $l \le 2m - n - \max\{2\log(1/\delta),\ 4\log(1/\varepsilon)\}$, (Gen, Rep) is an $(m, l, 0, \varepsilon)$-fuzzy extractor with pre-application robustness $\delta$.
For any $\varepsilon, \delta$ satisfying $l \le \min\{(2m - n - 2\log(1/\delta))/3,\ 2m - n - 4\log(1/\varepsilon)\}$, (Gen, Rep) is an $(m, l, 0, \varepsilon)$-fuzzy extractor with post-application robustness $\delta$.
Proof. We show that $R \in \{0,1\}^l$ is close to uniform conditioned on $P$, and then argue robustness.

Extraction. We begin by showing that $\mathcal{H} = \{h_i : h_i(a, b) \stackrel{\text{def}}{=} (\sigma, R)\}$ is a universal hash family. Indeed, for $(a, b) \ne (a', b')$ we have
$$\Pr_i[h_i(a, b) = h_i(a', b')] = \Pr_i\big[[ia]_v - [ia']_v = b' - b \ \wedge\ [ia]_{v+1}^{n-v} = [ia']_{v+1}^{n-v}\big].$$
This is equivalent to $\Pr_i[i(a - a') = 0^{n-2v} \| (b' - b)]$, where $\|$ denotes concatenation (this is because we insisted that addition/subtraction in the finite fields corresponds to bitwise exclusive-or). If $a = a'$ then we must have $b \ne b'$ and so the probability is 0. If $a \ne a'$, then there is a unique $i$ that satisfies the equality. Thus, the probability is at most $1/|GF(2^{n-v})| = 2^{v-n}$.

Using the above and the leftover hash lemma (Lemma 2) we see that $(R, P) = (R, (i, \sigma))$ is $2^{((l+v)-m-2)/2} \le \varepsilon/2$-close to $(U_l \times U_{n-v} \times U_v)$ or, put differently, that $\mathrm{SD}((R, P), U_l \times U_n) \le \varepsilon/2$. This implies $\mathrm{SD}((R, P), U_l \times P) \le \varepsilon$ using the triangle inequality.

Pre-application robustness. We prove the stronger result that robustness holds for a worst-case choice of $i$. Fix $i$ and $A$, and let Succ be the event that $A$ succeeds. Since $A$ is unbounded, we may assume it is deterministic. Upon observing $\sigma$, the adversary outputs $A(\sigma) = (i', \sigma') \ne (i, \sigma)$. If $i' = i$, then Rep will reject unless $\sigma' = \sigma$; therefore, we need only consider the case $i' \ne i$. By definition, $A$ succeeds only if $\sigma' = [i'a]_v + b$. Call a triple $(\sigma, i', \sigma')$ a transcript, and say it is possible if $A(\sigma) = (i', \sigma')$. For any possible transcript $\mathrm{tr} = (\sigma, i', \sigma')$ the following holds (in the probability expressions below, $a\|b$ is chosen according to the distribution $W$ conditioned on tr or, equivalently, conditioned on $\sigma$):
$$\begin{aligned}
\Pr[\mathrm{Succ} \mid \mathrm{tr}] &= \Pr_{a\|b}\big[[ia]_v + b = \sigma \ \wedge\ [i'a]_v + b = \sigma'\big] \\
&= \Pr_{a\|b}\big[[ia]_v - [i'a]_v = \sigma - \sigma' \ \wedge\ b = \sigma - [ia]_v\big] \\
&= \Pr_{a\|b}\big[[(i - i')a]_v = \sigma - \sigma' \ \wedge\ b = \sigma - [ia]_v\big],
\end{aligned}$$
where the final equality holds because we insisted that addition/subtraction in our fields corresponds to bitwise exclusive-or.
The term $(i - i')a$ takes on each possible value in $GF(2^{n-v})$ exactly once as $a$ varies; therefore, there are $2^{n-v}/2^{|\sigma|} = 2^{n-2v}$ values of $a$ for which $[a(i - i')]_v = \sigma - \sigma'$. For each such value of $a$, there is a unique value of $b$ that satisfies $b = \sigma - [ia]_v$. Each $(a, b)$ pair occurs with probability at most $2^{-H_\infty(W \mid \sigma)}$. Thus, $\Pr[\mathrm{Succ} \mid \mathrm{tr}] \le 2^{n-2v} \cdot 2^{-H_\infty(W \mid \sigma)}$. The overall success probability of $A$ is given by
$$E_{\mathrm{tr}}\big[\Pr[\mathrm{Succ} \mid \mathrm{tr}]\big] \le 2^{n-2v} \cdot E_{\mathrm{tr}}\big[2^{-H_\infty(W \mid \sigma)}\big] = 2^{n-2v} \cdot 2^{-\tilde H_\infty(W \mid \sigma)}.$$
Since $|\sigma| = v$, we have $\tilde H_\infty(W \mid \sigma) \ge m - v$ and we conclude that $\Pr[\mathrm{Succ}] \le 2^{n-v-m} \le \delta$.

Post-application robustness. Because $|R| = l$, providing $R$ to the adversary can increase its success probability by a multiplicative factor of at most $2^l$ as compared to pre-application robustness.^4 Thus, if $3l \le 2m - n - 2\log(1/\delta)$, the adversary's success probability (in the post-application robustness game) is at most $2^l \cdot 2^{n-v-m} = 2^l \cdot 2^{(n+l-2m)/2} \le \delta$.

^4 One might hope to improve this analysis, but we show in Appendix A that the analysis here is essentially tight.
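The construction just analysed, and the variant of Section 3.1.1 that follows, worked through on toy parameters as an added example (Python written for this page, not the paper's code). The parameters are my assumptions: $n = 16$, $v = 4$, with $GF(2^{12})$ and $GF(2^8)$ represented by the irreducible polynomials $x^{12}+x^6+x^4+x+1$ and $x^8+x^4+x^3+x+1$. Besides Gen and Rep, count_pre and count_post enumerate every input consistent with what the adversary observed and count those on which a forged $P'$ is accepted, which reproduces the counts $2^{n-2v}$ and $2^l$ from the two proofs.

```python
import secrets


def gf_mul(x, y, poly, deg):
    """Multiply x*y in GF(2^deg) modulo the irreducible polynomial `poly`.
    Polynomial basis, so field addition/subtraction is XOR, as the paper requires."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> deg:
            x ^= poly
    return r


# Toy parameters (constructed for this example): n = 16 bits of w, v = 4 tag bits.
N, V = 16, 4
LOW_V = (1 << V) - 1
POLY12 = (1 << 12) | (1 << 6) | (1 << 4) | (1 << 1) | 1   # x^12+x^6+x^4+x+1, GF(2^(n-v))
POLY8 = (1 << 8) | (1 << 4) | (1 << 3) | (1 << 1) | 1     # x^8+x^4+x^3+x+1,  GF(2^(n/2))


# --- Section 3.1: w = a || b, |a| = n-v, |b| = v; sigma = [ia]_v + b, R = [ia]_{v+1}^{n-v}
def gen1(w, i=None):
    """Gen(w): sample the seed i (or use the one given) and return (R, P = (i, sigma))."""
    a, b = w >> V, w & LOW_V
    if i is None:
        i = secrets.randbelow(1 << (N - V))
    ia = gf_mul(i, a, POLY12, N - V)
    return ia >> V, (i, (ia & LOW_V) ^ b)


def rep1(w, P):
    """Rep(w, P'): recompute the tag from w; None stands for the paper's reject symbol."""
    a, b = w >> V, w & LOW_V
    i, sigma = P
    ia = gf_mul(i, a, POLY12, N - V)
    return ia >> V if (ia & LOW_V) ^ b == sigma else None


def count_pre(i, sigma, i2, sigma2):
    """Pre-application forgery count: of the 2^(n-v) inputs w consistent with the
    observed P = (i, sigma), how many make Rep accept the forged P' = (i2, sigma2)?
    The proof of Theorem 3 predicts exactly 2^(n-2v) = 256 whenever i2 != i, so a
    uniform W gives the adversary probability 256 / 4096 = 2^(n-v-m) with m = n."""
    hits = 0
    for a in range(1 << (N - V)):
        b = sigma ^ (gf_mul(i, a, POLY12, N - V) & LOW_V)  # the unique b for this a
        if rep1((a << V) | b, (i2, sigma2)) is not None:
            hits += 1
    return hits


# --- Section 3.1.1: a, b = halves of w in GF(2^(n/2)); y = ia + b; sigma = first v bits
HALF = N // 2
LOW_L = (1 << (HALF - V)) - 1          # l = n/2 - v = 4 extracted bits


def gen2(w, i=None):
    """Gen(w) of Section 3.1.1: sigma = [y]_v (high v bits), R = [y]_{v+1}^{n/2}."""
    a, b = w >> HALF, w & ((1 << HALF) - 1)
    if i is None:
        i = secrets.randbelow(1 << HALF)
    y = gf_mul(i, a, POLY8, HALF) ^ b
    return y & LOW_L, (i, y >> (HALF - V))


def rep2(w, P):
    a, b = w >> HALF, w & ((1 << HALF) - 1)
    i, sigma = P
    y = gf_mul(i, a, POLY8, HALF) ^ b
    return y & LOW_L if y >> (HALF - V) == sigma else None


def count_post(i, sigma, R, i2, sigma2):
    """Post-application forgery count for Section 3.1.1: the adversary also sees R, so
    only 2^(n/2) = 256 inputs w stay consistent with (sigma, R); the proof of Theorem 4
    predicts that exactly 2^l = 16 of them accept a forged (i2, sigma2) with i2 != i."""
    y = (sigma << (HALF - V)) | R
    hits = 0
    for a in range(1 << HALF):
        b = y ^ gf_mul(i, a, POLY8, HALF)                 # the unique b for this a
        if rep2((a << HALF) | b, (i2, sigma2)) is not None:
            hits += 1
    return hits
```

At these toy sizes a uniform $W$ gives forgery probability $256/4096 = 2^{-4} = 2^{n-v-m}$ in the pre-application game and $16/256 = 2^{-4} = 2^{l-m+n/2}$ in the post-application game of Section 3.1.1, so both bounds are met with equality here; the post-application bound of Theorem 3 for the first construction, $2^l \cdot 2^{n-v-m} = 16$, is vacuous at these sizes.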

3.1.1 Improved Post-Application Robustness

In this section, we present a construction of an extractor with post-application robustness that extracts a key of length $m - n/2 - \log(1/\delta)$, an improvement by a factor of $3/2$ as compared to the construction given above. Assume $n$ is even for simplicity. To compute $\mathrm{Gen}(w)$, let $a$ and $b$ denote the first and last halves of $w$, respectively, and view $a$ and $b$ as elements of $GF(2^{n/2})$. Choose a random $i \in GF(2^{n/2})$ and compute $y = ia + b$. Let $\sigma$ be the first $v$ bits of $y$, where $v < n/2$ is a parameter of the scheme, and let $R$ be the remainder of $y$; i.e., $\sigma = [y]_v$ and $R = [y]_{v+1}^{n/2}$. Output $P = (i, \sigma)$.

$\mathrm{Rep}(w, P')$, where $P' = (i', \sigma')$, proceeds in the obvious way: Parse $w$ as two strings $a, b$ as above. Then verify that $\sigma' = [i'a + b]_v$ and output $\bot$ if this is not the case. Otherwise, compute the extracted key $R' = [i'a + b]_{v+1}^{n/2}$.

Before giving the formal proof, we provide some intuition as to why this construction has better post-application robustness. Recall that in the previous construction $w$ is parsed as two strings $a$ and $b$ of lengths $n - v$ and $v$, respectively, and the values $\sigma, R$ are computed as $\sigma = [ia]_v + b$ and $R = [ia]_{v+1}^{n-v}$. Increasing $v$ improves robustness but decreases the number of extracted bits. For pre-application robustness, setting $v = n - m + \log(1/\delta)$ suffices, and thus the construction extracts nearly $2m - n$ bits. For post-application robustness, however, a larger $v$ must be used and consequently the number of extracted bits is decreased. The post-application robustness game reveals more information to the adversary $A$ about $w$ than the pre-application robustness game. This additional information, namely $R$ itself, may make it easier for $A$ to guess $\sigma'$. The key to our improvement is to use the pairwise-independent function $h_i(a, b) = ia + b$ to compute both $\sigma$ and $R$. Because of pairwise independence, the value $(\sigma, R)$ of $h_i(a, b)$ leaks nothing about the value $(\sigma', R') = h_{i'}(a, b)$ for any $i' \ne i$.
(This holds when $(a, b)$ is uniform; when $(a, b)$ has min-entropy $m$, then $A$ may have up to $n - m$ bits of information about $\sigma'$.) In contrast, in the previous construction only $\sigma$ was computed using a pairwise-independent hash function. This works better for pre-application robustness (because $b$ can be taken shorter), but worse for post-application robustness.

Theorem 4 Fix $v$, and let $l = n/2 - v$ be the length of the extracted key. Then for any $\varepsilon, \delta$ satisfying $l \le m - n/2 - \log(1/\delta)$ and $l \le m - n/2 + 2\log\varepsilon$, (Gen, Rep) is an $(m, l, 0, \varepsilon)$-fuzzy extractor with post-application robustness $\delta$.

Proof. We first show that $R \in \{0,1\}^l$ is nearly uniform given $P$. The proof proceeds along the lines of the analogous proof for Theorem 3. As before, we begin by showing that $\mathcal{H} = \{h_i : h_i(a, b) = (\sigma, R)\}$ is universal. Indeed, for $(a, b) \ne (a', b')$ we have
$$\Pr_i[h_i(a, b) = h_i(a', b')] = \Pr_i[ia + b = ia' + b'] = \Pr_i[i(a - a') = (b' - b)].$$
If $a = a'$ then $b \ne b'$ and so $\Pr_i[i(a - a') = (b' - b)] = 0$. If $a \ne a'$, then there is a unique $i$ for which $i(a - a') = (b' - b)$, and so $\Pr_i[i(a - a') = (b' - b)] = 2^{-n/2}$.

The above and Lemma 2 imply that $(i, R, \sigma)$ is $2^{(n/2 - m)/2}$-close to $U_{n/2} \times U_l \times U_v$. As in the previous proof, and recalling that $P = (i, \sigma)$, this means that $\mathrm{SD}((R, P), U_l \times P) \le 2^{(n/2 - m)/2} \le \varepsilon$.

Post-application robustness. As in the previous proof, we prove that robustness holds for a worst-case choice of $i$. Fix $i$ and $A$, and let Succ be the event that $A$ succeeds. Since $A$ is unbounded, we may assume it is deterministic. Thus, upon observing $\sigma, R$ the adversary outputs $(i', \sigma') \ne (i, \sigma)$; the adversary succeeds if $[i'a + b]_v = \sigma'$. Note that if $i' = i$ then Rep will reject unless $\sigma' = \sigma$; therefore, we need only consider the case $i' \ne i$. We now let a transcript be a tuple $\mathrm{tr} = (\sigma, R, i', \sigma')$, and say it is possible if $A(\sigma, R) = (i', \sigma')$. For any possible transcript $\mathrm{tr} = (\sigma, R, i', \sigma')$ we have the following (in the probability expressions below, $a\|b$ is chosen according to the distribution $W$ conditioned on tr or, equivalently, conditioned on $\sigma, R$):
$$\Pr[\mathrm{Succ} \mid \mathrm{tr}] = \Pr_{a\|b}\big[(ia + b = \sigma\|R) \wedge ([i'a + b]_v = \sigma')\big] = \sum_{R' \in \{0,1\}^l} \Pr_{a\|b}\big[(ia + b = \sigma\|R) \wedge (i'a +  b = \sigma'\|R')\big].$$
For any fixed $R'$, there is a unique value $(a, b)$ for which $ia + b = \sigma\|R$ and $i'a + b = \sigma'\|R'$. Each $(a, b)$ pair occurs with probability at most $2^{-H_\infty(W \mid \sigma, R)}$. We thus see that $\Pr[\mathrm{Succ} \mid \mathrm{tr}] \le 2^l \cdot 2^{-H_\infty(W \mid \sigma, R)}$. The overall success probability of $A$ is given by $E_{\mathrm{tr}}[\Pr[\mathrm{Succ} \mid \mathrm{tr}]] \le 2^l \cdot 2^{-\tilde H_\infty(W \mid \sigma, R)}$. Since $|\sigma| + |R| = n/2$, we have $\tilde H_\infty(W \mid \sigma, R) \ge m - n/2$ and so $\Pr[\mathrm{Succ}] \le 2^{l - m + n/2} \le \delta$.

3.1.2 Authenticating a Message While Extracting

Each of the constructions given previously uses the parties' input $w$ to authenticate the extractor seed $i$. Each construction can be extended to additionally authenticate a message $M$, i.e., to be simultaneously a robust fuzzy extractor and an information-theoretic one-time MAC. In this setting, both Gen and Rep will take an additional input $M$, and it should be difficult for an adversary to cause Rep to accept a different $M$. (We are being informal here since this is merely a stepping stone to the results of the following section.)
This could be done naively by using (a part of) $R$ as a key for a MAC, but this would correspondingly reduce the final number of extracted bits. In contrast, the approach presented here (almost) does not reduce the length of $R$ at all. We show how to extend the original construction given at the beginning of Section 3.1; the construction of Section 3.1.1 can be extended similarly.

We adapt a standard technique [6, 3, 38] for authenticating messages using polynomial-based almost-universal hash functions. Let $|M| = L(n - v)$, where $L$ is known to both parties in advance. Split $M$ into $L$ chunks $M_0, \ldots, M_{L-1}$, each $n - v$ bits long, and view these as coefficients of a polynomial $M(x) \in GF(2^{n-v})[x]$ of degree $L - 1$. To compute $\mathrm{Gen}(w, M)$, parse $w$ as $a\|b$, choose random $i \in GF(2^{n-v})$, compute $\sigma = [a^2 M(a) + ia]_v + b$, and set $P = (i, \sigma)$. As before, the extracted key is $R = [ia]_{v+1}^{n-v}$. The procedure Rep, given $w$, $M'$, and $P' = (i', \sigma')$, verifies that $|M'| = L(n - v)$ and that $\sigma' = [a^2 M'(a) + i'a]_v + b$. If so, it accepts $M'$ as valid and additionally outputs $R' = [i'a]_{v+1}^{n-v}$.

Extraction and robustness (which here means that neither $i$ nor $M$ can be modified without detection) are proved in a manner very similar to the proof of Theorem 3. Fix arbitrary $M$, known to the adversary. To argue that $R$ is nearly uniform given $P = (i, \sigma)$, we will show that $\mathcal{H} = \{h_i : h_i(a, b) \stackrel{\text{def}}{=} (\sigma, R)\}$ is universal. Indeed, for $(a, b) \ne (a', b')$, we have
$$\Pr_i[h_i(a, b) = h_i(a', b')] = \Pr_i\Big[i(a - a') = 0^{n-2v} \,\big\|\, \big([(a')^2 M(a') - a^2 M(a)]_v + b' - b\big)\Big].$$
If $a = a'$ then $b \ne b'$ and the above equality cannot be satisfied; if $a \ne a'$, there is a unique $i$ satisfying the equality. This proves universality. The rest of the proof proceeds as before.

For (pre-application) robustness, fix arbitrary $M$ and $i$ (known to $A$) and proceed as before. The only difference is that we now need to compute the number of values of $a$ for which
$$[a^2 M(a) + ia - a^2 M'(a) - i'a]_v = \sigma - \sigma'. \qquad (1)$$
The crucial property is that the polynomial $x^2 M(x) + ix - x^2 M'(x) - i'x$ is nonconstant if $(M, i) \ne (M', i')$. A nonconstant polynomial of degree at most $L + 1$ can take on a given value at most $L + 1$ times; hence, there are at most $(L + 1)2^{n-2v}$ values of $a$ satisfying Eq. (1). The probability that the adversary succeeds (in changing either $i$ or $M$ without being detected) is thus at most $(L + 1) \cdot 2^{n-v-m}$. Note that the resulting forgery probability is affected only by a multiplicative factor of $(L + 1)$; since we expect $(L + 1) \ll 1/\delta$ in practice, the impact is small.

3.2 Adding Error-Tolerance ($w \ne w'$)

We now consider settings where the input $w'$ held by the second party is close, but not identical, to the input $w$ used by the first party. An obvious first attempt is to include a secure sketch $s = \mathrm{SS}(w)$ along with $(i, \sigma)$, and to authenticate $s$ using the message-authentication technique discussed in the previous section; $s$ would allow recovery of $w$ from $w'$, and then verification could proceed as before.
Unfortunately, this does not quite work: if the adversary modifies the sketch $s$, then a different value $w'' \ne w$ may be recovered; however, the results of the previous section apply only when the receiver uses the same $w$ as the sender. In effect, we have a circularity: the receiver uses $w''$ to verify that $s$ was not modified, but the receiver computes $w''$ (from $w'$) using a possibly modified $s$. We show how to break this circularity using a modification of the message-authentication technique from earlier. The key idea is to exploit algebraic structure in the metric space, and to change the message authentication code so that it remains secure even when the adversary can influence the key (this is sometimes referred to as security against "related-key attacks"; our approach was generalized in [2]). Specifically, we first treat the case where the distance between $w$ and $w'$ is small in the Hamming metric; in a later section we extend the approach to the set-difference metric.

Another problem arises from the fact that the performance of our previous constructions degrades not only when the min-entropy $m$ of the input decreases, but also when the entropy gap $g = n - m$ increases (for example, Theorem 3 can extract roughly $m - g$ bits with pre-application robustness). Because $s$ reveals information about $w$, the entropy of $w$ from the adversary's point of view decreases, and the entropy gap increases. An important idea is to limit this increase by using the (shorter) part of $w$ that is independent of $s$.

3.2.1 Tolerating Binary Hamming Errors

We begin by extending the construction presented at the beginning of Section 3.1 to tolerate binary Hamming errors; we then extend the construction from Section 3.1.1. Our metric space is $\mathcal{M} = \{0,1\}^n$ and the distance between two strings is Hamming distance, i.e., the number of bit positions in which they differ. Suppose the input $W$ is a distribution of min-entropy $m$ over $\mathcal{M}$, and that $w'$ is guaranteed to be within distance $t$ of $w$.

Our starting point is to use a deterministic, linear, secure sketch $s = \mathrm{SS}(w)$ that is $k$ bits long; let $n' = n - k$ and note that $\tilde H_\infty(W \mid \mathrm{SS}(W)) \ge m - k$. We assume that SS is a surjective, linear function (this is the case for the syndrome sketch for the Hamming metric), and so there exists a $k \times n$ matrix $S$ of rank $k$ such that $\mathrm{SS}(w) = Sw$. Let $S'$ be an $n' \times n$ matrix such that the $n \times n$ matrix $\binom{S}{S'}$ has full rank. We let $\mathrm{SS}'(w) \stackrel{\text{def}}{=} S'w$. One can view $\mathrm{SS}'(w)$ as the information remaining in $w$ once $\mathrm{SS}(w)$ has been learned by the adversary.

We define Gen, Rep as follows. Gen, on input $w$, begins by computing $s = \mathrm{SS}(w)$ and $c = \mathrm{SS}'(w)$. It then parses $c \in \{0,1\}^{n'}$ as two strings $a, b$ with $|a| = n' - v$ and $|b| = v$, where $v \le n'/2$ (so $|a| \ge |b|$) is a parameter of the construction. Letting $L = 2\lceil k/(2(n' - v)) \rceil$, it pads $s$ with 0s to length $L(n' - v)$ and parses the resulting string as $s_{L-1}\, s_{L-2} \cdots s_0$ with $s_j \in GF(2^{n'-v})$. It chooses random $i \in GF(2^{n'-v})$, and defines
$$f_{s,i}(x) = x^{L+3} + x^2\,(s_{L-1} x^{L-1} + s_{L-2} x^{L-2} + \cdots + s_0) + ix.$$
Finally, it sets $\sigma = [f_{s,i}(a)]_v + b$, and outputs $R = [ia]_{v+1}^{n'-v}$ and $P = (s, i, \sigma)$.

Rep, on inputs $w'$ and $P' = (s', i', \sigma')$, first computes $w'' = \mathrm{SRec}(w', s') \in \{0,1\}^n$. It checks that $\mathrm{dis}(w', w'') \le t$ and $\mathrm{SS}(w'') = s'$; if not, then it outputs $\bot$. Otherwise, let $c' = \mathrm{SS}'(w'')$ and parse $c'$ as $a'\|b'$ with $|a'| = n' - v$ and $|b'| = v$. Check that $\sigma' = [f_{s',i'}(a')]_v + b'$: if not, output $\bot$; otherwise output $R' = [i'a']_{v+1}^{n'-v}$.
Before turning to the detailed analysis, we note that the polynomial $f_{s,i}$ defined above differs from the message-authentication technique in the previous section only in the leading term $x^{L+3}$ (and the forcing of $L$ to be even). It has the property that for any pair $(s', i') \ne (s, i)$, and for any fixed offset $\Delta$, the polynomial $f_{s,i}(x) - f_{s',i'}(x + \Delta)$ is a nonconstant polynomial of degree at most $L + 2$: this is easy to see for $\Delta = 0$; if $\Delta \ne 0$, then the leading term is $\Delta x^{L+2}$ (recall we are working in a field of characteristic 2 and $L$ is even). Our analysis will show that $f_{s,i}(a)$ amounts to a message authentication code (where the shared key $a$ is used to authenticate $s, i$) that is provably secure against a class of related-key attacks where the adversary can force the receiver to use a key shifted by an offset known to the adversary.

Theorem 5 Let $\mathcal{M}$ denote $\{0,1\}^n$ under the Hamming metric, let SS be the $(m, m - k, t)$-secure syndrome sketch for $\mathcal{M}$, and let $B$ denote the volume of the ball of radius $t$ in $\mathcal{M}$. Fix $v$, and let $l = n - k - 2v$ be the length of the extracted key. Then: For any $\varepsilon, \delta$ satisfying l 2m n k 2 max log B + log 2m n k 2 max ( 2 k n k { log B + log 2n δ, 2 log ( }, ) log ( ) ( δ, 2 log ) } ε, (Gen, Rep) is an $(m, l, t, \varepsilon)$-fuzzy extractor for $\mathcal{M}$ with pre-application robustness $\delta$.


More information

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result Ueli Maurer, Fellow, IEEE Stefan Wolf Abstract This is the first part of a three-part paper on secret-key

More information

Question 1. The Chinese University of Hong Kong, Spring 2018

Question 1. The Chinese University of Hong Kong, Spring 2018 CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Lecture 13: Seed-Dependent Key Derivation

Lecture 13: Seed-Dependent Key Derivation Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

Four-state Non-malleable Codes with Explicit Constant Rate

Four-state Non-malleable Codes with Explicit Constant Rate Four-state Non-malleable Codes with Explicit Constant Rate Bhavana Kanukurthi Sai Lakshmi Bhavana Obbattu Sruthi Sekar Indian Institute Of Science, Bangalore Abstract. Non-malleable codes (NMCs), introduced

More information

On Expected Constant-Round Protocols for Byzantine Agreement

On Expected Constant-Round Protocols for Byzantine Agreement On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending

More information

Entity Authentication

Entity Authentication Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The

More information

Resource-efficient OT combiners with active security

Resource-efficient OT combiners with active security Resource-efficient OT combiners with active security Ignacio Cascudo 1, Ivan Damgård 2, Oriol Farràs 3, and Samuel Ranellucci 4 1 Aalborg University, ignacio@math.aau.dk 2 Aarhus University, ivan@cs.au.dk

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes 5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.

More information

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1 Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices

More information

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the

More information

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0 Near-Optimal Secret Sharing and Error Correcting Codes in AC 0 Kuan Cheng Yuval Ishai Xin Li December 18, 2017 Abstract We study the question of minimizing the computational complexity of (robust) secret

More information

Lecture 3,4: Multiparty Computation

Lecture 3,4: Multiparty Computation CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,

More information

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007 G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret

More information

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered Privacy Amplication Secure Against Active Adversaries? Ueli Maurer Stefan Wolf Department of Computer Science Swiss Federal Institute of Technology (ETH Zurich) CH-8092 Zurich, Switzerland E-mail addresses:

More information

Secure Identification and QKD in the Bounded-Quantum-Storage Model

Secure Identification and QKD in the Bounded-Quantum-Storage Model Secure Identification and QKD in the Bounded-Quantum-Storage Model Ivan B. Damgård 1, Serge Fehr 2, Louis Salvail 1, and Christian Schaffner 2 1 BRICS, FICS, Aarhus University, Denmark {ivan salvail}@brics.dk

More information

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

More information

Cryptographical Security in the Quantum Random Oracle Model

Cryptographical Security in the Quantum Random Oracle Model Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons

More information

On the Randomness Requirements for Privacy

On the Randomness Requirements for Privacy On the Randomness Requirements for Privacy by Carl Bosley A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science New York

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

Session-Key Generation using Human Passwords Only

Session-Key Generation using Human Passwords Only Session-Key Generation using Human Passwords Only Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Yehuda Lindell Department of Computer

More information

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer 1,2, Yevgeniy Dodis 3, Serge Fehr 2, Carles Padró 4, and Daniel Wichs 3 1 Mathematical

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight

More information

Secure Sketch for Multi-Sets

Secure Sketch for Multi-Sets Secure Sketch for Multi-Sets Ee-Chien Chang Vadym Fedyukovych Qiming Li March 15, 2006 Abstract Given the original set X where X = s, a sketch P is computed from X and made public. From another set Y where

More information

Lecture Notes 20: Zero-Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties

More information

Non-Malleable Extractors with Shorter Seeds and Their Applications

Non-Malleable Extractors with Shorter Seeds and Their Applications Non-Malleable Extractors with Shorter Seeds and Their Applications Yanqing Yao 1, and Zhoujun Li 1, 1 School of Computer Science and Engineering, Beihang University, Beijing, China Beijing Key Laboratory

More information

CS Communication Complexity: Applications and New Directions

CS Communication Complexity: Applications and New Directions CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

1 Secure two-party computation

1 Secure two-party computation CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure

More information

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical

More information

Lecture 3: Randomness in Computation

Lecture 3: Randomness in Computation Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,

More information

Essentially Optimal Robust Secret Sharing with Maximal Corruptions

Essentially Optimal Robust Secret Sharing with Maximal Corruptions Essentially Optimal Robust Secret Sharing with Maximal Corruptions Allison Bishop 1, Valerio Pastro 1, Rajmohan Rajaraman 2, and Daniel Wichs 2 1 Columbia University 2 Northeastern University November

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

Lecture 3: Lower bound on statistically secure encryption, extractors

Lecture 3: Lower bound on statistically secure encryption, extractors CS 7880 Graduate Cryptography September, 015 Lecture 3: Lower bound on statistically secure encryption, extractors Lecturer: Daniel Wichs Scribe: Giorgos Zirdelis 1 Topics Covered Statistical Secrecy Randomness

More information

Block Ciphers/Pseudorandom Permutations

Block Ciphers/Pseudorandom Permutations Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3 Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage

More information

Round-Efficient Multi-party Computation with a Dishonest Majority

Round-Efficient Multi-party Computation with a Dishonest Majority Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information